IT Security News Blast 5-12-2017

“The 2011 statistic that ‘60 percent of businesses close within 6 months of a cyberattack’ is not from NCSA and its original source cannot be confirmed,” Michael Kaiser, the Alliance executive director, said in a statement responding to an Information Security Media Group inquiry about the statistic. “We recommend that media, policy makers, small businesses and others not use that statistic and rely upon information that is current and relevant.”

McKinsey & Company estimates the IoT ecosystem will generate $6 trillion in value by 2025. Successful IoT offerings rely on the perception of benefit they can deliver to businesses and consumers while creating a proportionate foundation of security, trust, and data integrity. There are important ways that IoT technology can reduce data security risk while improving customer experience in a connected world.

The study looked at Internet security vulnerabilities that could involve industrial robots used on manufacturing lines in areas such as the automobile and aerospace industries. […] “I’m shocked that anyone would consider attaching anything to the internet without making sure it was secured,” said Dan Olds, an analyst with OrionX. “This applies to everything from home thermostats to big robotic arms. Everything attached to the internet is vulnerable to hacking.”

AI, IoT and the end of Moore’s Law add to US national security worries

The report warned that while the US currently leads AI research, other countries are also building their capabilities. “The implications of our adversaries’ abilities to use AI are potentially profound and broad. They include an increased vulnerability to cyber attack, difficulty in ascertaining attribution, facilitation of advances in foreign weapon and intelligence systems, the risk of accidents and related liability issues, and unemployment,” the report said. On the IoT, it warned that enemies are likely to seek capabilities “to hold at risk” US critical infrastructure as well as connected consumer and industrial devices.

US government and intelligence officials are apparently concerned that Kaspersky’s software, which is distributed worldwide, could be used to spy on US citizens or launch attacks to sabotage critical infrastructure. Some of these fears stem out of the fact that Kaspersky is based in Moscow and its founder and chief executive, Eugene Kaspersky, was trained by the KGB and worked as an intelligence officer in Soviet Russia’s Red Army.

After the Cold War, Russian elites believed that European Union and NATO enlargement, and Western efforts at democracy promotion, were designed to isolate and threaten Russia. In response, they tried to develop Russian soft power by promoting an ideology of traditionalism, state sovereignty, and national exclusivity. […] Information warfare can be used offensively to disempower rivals, and this could be considered “negative soft power.” By attacking the values of others, one can reduce their attractiveness and thus their relative soft power.

With James Comey Out at the FBI, American Privacy Could Take a Hammering

As Amie Stepanovich, a policy manager at a surveillance reform public-interest group called Access Now, said to Recode, Trump has “consistently appointed officials that support gross expansions of government authority at the expense of individual rights.” She added that people may be right to be “worried about who Trump is going to recommend for that position.”

Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive. This type of debugging turns the audio driver effectively into a keylogging spyware.

The vulnerabilities were found in a native web interface on the devices and allow an attacker on the same local network to change router settings, steal Wi-Fi passwords or leak system information. ASUS addressed all but one of the disclosed vulnerabilities, an issue found in two JSONP endpoints that leak some information about the router without the need for the attacker to be logged in.

The attack didn’t ask users to enter credentials. Instead, it exhibited very few traditional phishing scam behaviors and couldn’t have been detected by endpoint protections. Some researchers are calling this attack a “game changer” that could be just the start of a new wave of attacks that take advantage of third-party authentication connections rampant in the cloud services-based economy.

A copy of the signed order wasn’t immediately available, but the White House press briefing revealed some details about the order. Department of Homeland Security adviser Tom Bossert previewed Trump’s executive order at the briefing, saying it lays out three US cybersecurity priorities. The priorities are to protect federal networks, critical infrastructure and the US public.

Even with executive order, U.S. President Trump continues to trip over cybersecurity

“The measures in the executive order will serve as incremental changes to existing policies, while the Trump administration has otherwise either ignored or undermined pressing digital security threats internet users face,” said Drew Mitnick, Policy Counsel at Access Now. “The action does not touch several critical areas, like the insecurity of ‘Internet of Things’ devices, data breaches, or vulnerability disclosure,” continued Mitnick.

Rather than focus on hygiene at the user level, the federal government should push higher-level protection functions by the government. The recommendations were included in the White House Cybersecurity Commission Report issued in December 2016. “The problem is getting worse and we are losing,” Chabinsky said. “We are following a failed strategy that can and must be changed.” Additional solutions could also be more innovative approaches by the military and the federal government, according to Johnson and McCaskill.

Stavridis outlined two ways the U.S. could go after Putin’s wealth: “By attacking his accounts, and diminishing them, or by simply revealing them to his people,” Stavridis said. “You are currently seeing Prime Minister (Dmitry) Medvedev under enormous political pressure in Russia, a whole series of demonstrations around the country, tied to revelations about his offshore financing, his yachts, his multiple luxury goods. That kind of reveal would have a salutary effect.”

In theorising how an accidental nuclear war might happen, Gaycken proposed two potential outcomes. The first suggests that one of the major powers – in this case, Russia – has built an updated version of a ‘dead hand’ trigger in its computer systems. If a virus is able to crash a launching mechanism’s systems, the dead hand trigger will presume that the government has been lost to a nuclear attack and will fire in false retaliation.

Sold for around $400, Philadelphia is an updated version of an RaaS product known as Stampado. In an interview with SC Media, Sergey Shykevich, head of research at ClearSky, said that for a week in mid-April the Philadelphia spam campaign was sending between five and 10 spam advertisements per day. “Jabber spam advertising illegal services [has become] more popular lately,” said Shykevich. Such activity suggests that Rainmaker is expanding its activity and marketing budget, the company theorizes in its blog post.

The problem is that the advertising networks that connect advertisers and publishers don’t have adequate screening in place to ensure that the advertisers are legitimate, that the publishers are legitimate, and that the ads are seen by real people and not bots. But that’s starting to change. […] The company turned things around by investing in technology to screen its advertisers, its publishers, and its ad viewers.

Bypassing encryption: “Lawful hacking” is the next frontier of law enforcement technology

A lawful hacking approach offers a solution that appears to gain greater favor with experts than encryption backdoors. A group of scholars proposed some ways we should begin thinking about how law enforcement could hack. Agencies are already doing it, so it’s time to turn from the now-ended debate about encryption backdoors and engage in this new discussion instead.

Unit 42, the Palo Alto Networks threat intelligence team, has uncovered several iterations of the Nemucod downloader malware that uses heavily obfuscated JavaScript to deliver payloads to unwitting victims. While the malspam phishing scourge has most heavily hit Europe, the United States and Japan are the two next heavily impacted regions. The data-stealing trojan is targeting various industry sectors and arrives as spam using SMTP, POP3 and IMAP applications, arriving mainly from Poland (or from domains with Polish names), the researchers detected.

A new wave of tools, from low-cost to free open source software (FOSS), aim to help with tasks like network scanning and penetration testing. Some of these tools are tailored for specific purposes while others cross several domains. While free tools sound great, their usefulness varies from business to business. For some organizations, they are helpful means of solving small problems. For others, they are too “siloed” to be effective.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.